blob: c4c06b2a0939cbd2e4a68a5afab0573e917f4cd7 [file] [log] [blame]
Matthias Andreas Benkardb382b102021-01-02 15:32:21 +01001
2 include /etc/nginx/mime.types;
3 charset utf-8;
4 override_charset on;
5
6 ssl_protocols TLSv1.2 TLSv1.3;
7 ssl_prefer_server_ciphers on;
8 ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
9 ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
10 ssl_session_cache shared:SSL:50m;
11 ssl_session_timeout 1d;
12 ssl_session_tickets off;
13
14 add_header Strict-Transport-Security "max-age=15768000;";
15 add_header X-Content-Type-Options nosniff;
16 add_header X-XSS-Protection "1; mode=block";
17 add_header X-Robots-Tag none;
18 add_header X-Download-Options noopen;
19 add_header X-Frame-Options "SAMEORIGIN" always;
20 add_header X-Permitted-Cross-Domain-Policies none;
21 add_header Referrer-Policy strict-origin;
22
23 index index.php index.html;
24
25 client_max_body_size 0;
26
27 gzip on;
28 gzip_disable "msie6";
29
30 gzip_vary on;
31 gzip_proxied off;
32 gzip_comp_level 6;
33 gzip_buffers 16 8k;
34 gzip_http_version 1.1;
35 gzip_min_length 256;
36 gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
37
38 location ~ ^/(fonts|js|css|img)/ {
39 expires max;
40 add_header Cache-Control public;
41 }
42
43 error_log /var/log/nginx/error.log;
44 access_log /var/log/nginx/access.log;
45 fastcgi_hide_header X-Powered-By;
46 absolute_redirect off;
47 root /web;
48
49 location / {
50 try_files $uri $uri/ @strip-ext;
51 }
52
53 location /qhandler {
54 rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
55 }
56
57 location /edit {
58 rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
59 }
60
61 location @strip-ext {
62 rewrite ^(.*)$ $1.php last;
63 }
64
65 location ~ ^/api/v1/(.*)$ {
66 try_files $uri $uri/ /json_api.php?query=$1;
67 }
68
69 location ^~ /.well-known/acme-challenge/ {
70 allow all;
71 default_type "text/plain";
72 }
73
74 # If behind reverse proxy, forwards the correct IP
75 set_real_ip_from 10.0.0.0/8;
76 set_real_ip_from 172.16.0.0/12;
77 set_real_ip_from 192.168.0.0/16;
78 set_real_ip_from fc00::/7;
79 real_ip_header X-Forwarded-For;
80 real_ip_recursive on;
81
82 rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
83 rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;
84
85 location ^~ /principals {
86 return 301 /SOGo/dav;
87 }
88
89 location ~ \.php$ {
90 try_files $uri =404;
91 fastcgi_split_path_info ^(.+\.php)(/.+)$;
92 fastcgi_pass phpfpm:9002;
93 fastcgi_index index.php;
94 include /etc/nginx/fastcgi_params;
95 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
96 fastcgi_param PATH_INFO $fastcgi_path_info;
97 fastcgi_read_timeout 3600;
98 fastcgi_send_timeout 3600;
99 }
100
101 location /rspamd/ {
102 location /rspamd/auth {
103 # proxy_pass is not inherited
104 proxy_pass http://rspamd:11334/auth;
105 proxy_intercept_errors on;
106 proxy_set_header Host $http_host;
107 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
108 proxy_set_header X-Real-IP $remote_addr;
109 proxy_redirect off;
110 error_page 403 /_rspamderror.php;
111 }
112 proxy_pass http://rspamd:11334/;
113 proxy_set_header Host $http_host;
114 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
115 proxy_set_header X-Real-IP $remote_addr;
116 proxy_redirect off;
117 }
118
119 location ~* ^/Autodiscover/Autodiscover.xml {
120 fastcgi_split_path_info ^(.+\.php)(/.+)$;
121 fastcgi_pass phpfpm:9002;
122 include /etc/nginx/fastcgi_params;
123 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
124 try_files /autodiscover.php =404;
125 }
126
127 location ~* ^/Autodiscover/Autodiscover.json {
128 fastcgi_split_path_info ^(.+\.php)(/.+)$;
129 fastcgi_pass phpfpm:9002;
130 include /etc/nginx/fastcgi_params;
131 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
132 try_files /autodiscover-json.php =404;
133 }
134
135 location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
136 fastcgi_split_path_info ^(.+\.php)(/.+)$;
137 fastcgi_pass phpfpm:9002;
138 include /etc/nginx/fastcgi_params;
139 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
140 try_files /autoconfig.php =404;
141 }
142
143 # auth_request endpoint if ALLOW_ADMIN_EMAIL_LOGIN is set
144 location /sogo-auth-verify {
145 internal;
146 proxy_set_header X-Original-URI $request_uri;
147 proxy_set_header X-Real-IP $remote_addr;
148 proxy_set_header Host $http_host;
149 proxy_set_header Content-Length "";
150 proxy_pass http://127.0.0.1:65510/sogo-auth;
151 proxy_pass_request_body off;
152 }
153
154 location ^~ /Microsoft-Server-ActiveSync {
155 include /etc/nginx/conf.d/sogo_proxy_auth.active;
156 include /etc/nginx/conf.d/sogo_eas.active;
157 proxy_connect_timeout 75;
158 proxy_send_timeout 3600;
159 proxy_read_timeout 3600;
160 proxy_buffers 64 256k;
161 proxy_set_header X-Real-IP $remote_addr;
162 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
163 proxy_set_header Host $http_host;
164 client_body_buffer_size 512k;
165 client_max_body_size 0;
166 }
167
168 location ^~ /SOGo {
169 include /etc/nginx/conf.d/sogo_proxy_auth.active;
170 include /etc/nginx/conf.d/sogo.active;
171 proxy_set_header X-Real-IP $remote_addr;
172 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
173 proxy_set_header Host $http_host;
174 proxy_set_header x-webobjects-server-protocol HTTP/1.0;
175 proxy_set_header x-webobjects-remote-host $remote_addr;
176 proxy_set_header x-webobjects-server-name $server_name;
177 proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
178 proxy_set_header x-webobjects-server-port $server_port;
179 proxy_send_timeout 3600;
180 proxy_read_timeout 3600;
181 client_body_buffer_size 128k;
182 client_max_body_size 0;
183 break;
184 }
185
186 location ~* /sogo$ {
187 return 301 $client_req_scheme://$http_host/SOGo;
188 }
189
190 location /SOGo.woa/WebServerResources/ {
191 alias /usr/lib/GNUstep/SOGo/WebServerResources/;
192 }
193
194 location /.woa/WebServerResources/ {
195 alias /usr/lib/GNUstep/SOGo/WebServerResources/;
196 }
197
198 location /SOGo/WebServerResources/ {
199 alias /usr/lib/GNUstep/SOGo/WebServerResources/;
200 }
201
202 location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
203 alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
204 }
205
206 include /etc/nginx/conf.d/site.*.custom;
207
208 error_page 502 @awaitingupstream;
209
210 location @awaitingupstream {
211 rewrite ^(.*)$ /_status.502.html break;
212 }
213
214 location ~ ^/cache/(.*)$ {
215 try_files $uri $uri/ /resource.php?file=$1;
216 }